Is my web app & table storage sufficiently secured from public facing internet?
Intro:
I have an asp.net core app service hosted in Azure. This app service has an API controller that reads/writes to an Azure Table Storage. The code for this is using Azure.Data.Table library w/ an Access Key that i setup from the Azure portal (for the table storage).
Now, under the storage account / Networking blade, I have selected the "Enabled from All Networks".
Question:
Does this mean this storage account is open to the entire internet? I am confused whether this is secured because my code is accessing it via the Access Key (which I mentioned above).
Thank you.
Regarding the settings above, Enabled from all networks means the storage account endpoints (i.e. blob, table, queue, etc.) will accept traffic from the internet but you still need access key to view any data.
Enabled from selected virtual networks and IP address means that traffic will only be allowed from resources on the same VNET or specific IP address that you've configured e.g. your local device public IP provided by your ISP. This is a more secured method because you essentially whitelisting your what can connect.
Disabled means nothing outside of Azure can access the storage account and you will connect via Private Endpoint.
If your access key is inside your code, then this isn't the best secured method. You would want to have your connection with access key in either Application Settings so it can be retrieved as an environment variable or through Azure Key Vault. Using Key Vault allows you dictate what service or user can retrieve that value.
- How to Resolve Errors When Running Python Jobs in Azure App Service WebJobs
- QueueTrigger Azure function not processing message and exhibiting bizarre behavior
- Azure App Service Load Balancing "SiteLoadBalancing.LeastRequests" is "Least Active Requests"?
- Azure WebApp autoscale
- How to handle long startup times in Azure App Service deployment
- Azure Front Door unable to connect with wss/websync (websocket secure)
- How to shutdown one instance of an app service in azure
- Can we not set Allowed Headers for Azure App Service?
- Minimum elastic instance count Azure App Service
- Why are Azure Resource Groups associated with a specific region?
- Run Express server with my NodeJS app via Azure App Service deployed to Azure Container
- ReactVite Express NodeJs Azure app service. 404 The resource you are looking for has been removed, had its name changed, or is temporarily unavailable
- Python bot can’t be deployed to azure web app
- Prevent cookie being logged to azure web app linux HTTP logs
- Why is HTMX's hx-post on a form element causing a Mixed Content Error?
- Move Azure Web Apps into new Azure App Service Plan?
- Azure app service Configuration ambiguity
- No sign-in screen when accessing my Azure Web App
- What to do, given mTLS with HTTP Version 2 is not available in Azure App Service?
- Why does deploying to azure web app fails with no apparent error? How can i retrieve better error logs to fix the issue?
- Is there a way to mount Azure File Share on Web App via Key Vault Reference using Bicep?
- How to change Wiki JS favicon deployed in Azure Web App?
- Deploying models to web service in private network on Azure Machine Learning
- How to connect a Web App to a SQL database on Azure using Managed Identities?
- Getting "BadRequest" when trying to deploy web app networking settings using Bicep trmplate
- Connecting to an Azure website via FTP using Azure login credentials
- AADSTS50012: Invalid client secret is provided when moving from a Test App to Production
- Is there a workaround to keep app settings which not defined in Bicep template?
- Change Environmet Variables at runtime (React, vite) with docker and nginx
- Deploy web app to Azure but still showing Microsoft page instead